RE: [PHP] Shared SessionIDs?
I'll try the 'msession' road. Thanks again for everybody's input,

Guillaume

-----Original Message-----
From: Chris Shiflett [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 04, 2003 6:36 PM
To: Guillaume Dupuis; [EMAIL PROTECTED]
Subject: Re: [PHP] Shared SessionIDs?

--- Guillaume Dupuis <[EMAIL PROTECTED]> wrote:
> We currently have 3 php servers. Can we use the same SessionID to
> connect across the 3 systems?

Yes, assuming I understand you correctly.

There are many ways to address this challenge, but one method is to use a
database for your session store. This database can be on one of your three
servers or somewhere else. A similar approach is to use an NFS mount to
create a virtual filesystem for storing session data. Yet another approach
is the msession PHP extension.

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Shared SessionIDs?
John W. Holmes <mailto:[EMAIL PROTECTED]> on Tuesday, November 04, 2003 6:07 PM said:

> I think you missed the part where he said "while keeping secure"... :)
> Storing something like this in a cookie is in no way secure.

Hey man! That's why I put the disclaimer...

> > Here's an idea (whether or not it's a good idea is another story):

:)

But seriously, why is it such a bad idea? I'd like to finally figure this
out so I don't keep coming up with them (not that I've ever used any). ;)

Chris.

--
Don't like reformatting your Outlook replies? Now there's relief!
http://home.in.tum.de/~jain/software/outlook-quotefix/
Re: [PHP] Shared SessionIDs?
From: Chris W. Parker <[EMAIL PROTECTED]>
> But seriously, why is it such a bad idea? I'd like to finally figure this
> out so I don't keep coming up with them (not that I've ever used any). ;)

I've got to remember back to what the original thread was about... :)

The suggestion, iirc, was to pass an MD5() hash of the username and
password in a cookie to identify the user. The problem with this is that
cookies are sent plain text and can be intercepted. So, anyone intercepting
the cookie and finding out the MD5() hash needs only to create a cookie on
their own machine with this same hash to now become the other user. They
don't need to know the actual username or password and your script wouldn't
know the difference.

Now, there are some scripts that do this (forums, for example) as a sort of
"remember me" feature, but they do it at a trade-off for security. Using a
method like this is saying that if one user impersonates another, it's not
really going to mess up anything on the site, there's not much harm they
can do, etc. An impersonated user on a forum may cause a little havoc, but
it'd be real TROUBLE if done on a banking site.

One way to alleviate some of the security issues is to have the hash
unrelated to the username and password and have it change often. That way,
even if another user gets it, it's only good for so long.

Hope that helps. Contact me offline anytime for more explanation if you
want. :)

---John Holmes...
RE: [PHP] Shared SessionIDs?
--- Chris W. Parker <[EMAIL PROTECTED]> wrote:
> But seriously, why is it such a bad idea? I'd like to finally figure this
> out so I don't keep coming up with them (not that I've ever used any). ;)

I have a free chapter that explains cookies at the protocol level here:

http://shiflett.org/books/http-developers-handbook/chapters/11

The idea of cookies is a very good one, and Netscape deserves credit for
the innovation. However, some implementations have been known to have
problems. Most notably, Internet Explorer versions 4.0, 5.0, 5.5, and 6.0
all have vulnerabilities that, if not patched, allow anyone to read cookies
from any domain. This means that Web developers, such as ourselves, must
consider all information in a cookie to be public for the purposes of
security assessment. The worst case scenario must be taken into
consideration, and when you set a cookie, the worst case is that the
contents are compromised.

So, getting back to your approach, you store authentication credentials in
a cookie, although you mentioned several steps that add obscurity. Even if
the data in the cookie cannot possibly reveal the user's authentication
credentials, if your session mechanism considers the cookie itself to be an
authentication credential, you have already lost. Anyone who can compromise
this cookie can impersonate a user on your Web application. A security
vulnerability is born.

Hope that helps.

Chris
[PHP] Shared SessionIDs?
Hi,

I am new to PHP, so I hope I phrase this okay :)

We currently have 3 php servers. Can we use the same SessionID to connect
across the 3 systems? If not, what would you suggest to minimize the number
of login prompts, while keeping secure?

Thanks in advance,

Guillaume Dupuis
RE: [PHP] Shared SessionIDs?
Guillaume Dupuis <mailto:[EMAIL PROTECTED]> on Tuesday, November 04, 2003 2:36 PM said:

> We currently have 3 php servers. Can we use the same SessionID to connect
> across the 3 systems? If not, what would you suggest to minimize the
> number of login prompts, while keeping secure?

Here's an idea (whether or not it's a good idea is another story):

Store the username+password as an MD5 hash in a cookie, also store the user
id. Then on the other servers you can read the user id and use that to pull
out the username and password hash (you do hash your passwords within the
database right?) from a database and then hash those two and compare the
result with the cookie's info.

Chris.
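The objection John Holmes and Chris Shiflett raise above is that the cookie value proposed here is derived from the credentials and never changes, so whoever copies it is the user for as long as the password stands. The following is an added example, not code from this thread, of the alternative John describes: a random token unrelated to the username or password, stored hashed on the server side with a short expiry and replaced on every use. It assumes PDO, a `login_tokens` table with the columns given in the comment, and a placeholder cookie domain.

```php
<?php
// Added example, not from the thread. Assumes PDO and this table:
//   CREATE TABLE login_tokens (token_hash CHAR(64) PRIMARY KEY,
//                              user_id INT NOT NULL, expires INT NOT NULL);
const TOKEN_TTL = 3600;  // short lifetime, so a copied token is "only good for so long"

// Issue a fresh token for $userId. Only its SHA-256 is stored, so reading the
// table does not yield usable cookies; the raw token goes to the browser only.
function issueToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));  // 256 random bits, unrelated to credentials
    $stmt = $db->prepare(
        'INSERT INTO login_tokens (token_hash, user_id, expires) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + TOKEN_TTL]);
    return $token;
}

// Validate a presented token. On success the row is deleted and a new token
// issued, so a copied cookie stops working as soon as the real user next visits.
// Returns ['user_id' => ..., 'token' => new token] or null.
function validateToken(PDO $db, string $token): ?array
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;  // malformed cookie, never reaches the database
    }
    $hash = hash('sha256', $token);
    $stmt = $db->prepare(
        'SELECT user_id FROM login_tokens WHERE token_hash = ? AND expires > ?');
    $stmt->execute([$hash, time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;  // unknown or expired
    }
    $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')->execute([$hash]);
    return ['user_id' => (int) $userId, 'token' => issueToken($db, (int) $userId)];
}

// HttpOnly keeps page scripts from reading the cookie; Secure keeps it off plain HTTP.
function setLoginCookie(string $token): void
{
    setcookie('login', $token, [
        'expires'  => time() + TOKEN_TTL,
        'path'     => '/',
        'domain'   => '.example.com',  // placeholder: the domain shared by the three servers
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

On each request the server calls `validateToken()` with `$_COOKIE['login']` and, on success, `setLoginCookie()` with the returned token, so the value in the browser is never the same twice.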
Re: [PHP] Shared SessionIDs?
Guillaume Dupuis wrote:
> Hi,
>
> I am new to PHP, so I hope I phrase this okay :)
>
> We currently have 3 php servers. Can we use the same SessionID to connect
> across the 3 systems? If not, what would you suggest to minimize the
> number of login prompts, while keeping secure?
>
> Thanks in advance,
>
> Guillaume Dupuis

If the servers are only virtual servers on the same physical server and all
store their sessions in the same directory, there is no problem; you only
need to pass the session ids in all links to the other servers.

If you have 3 physical servers, you need to make one of them store the
sessions and the others request those sessions. The implementation depends
on your possibilities. You can make the session directory accessible to the
other servers using Samba or NFS, or you can make a script that will
provide session information on request. You will still need to pass session
ids to the other domains.

Marek
Re: [PHP] Shared SessionIDs?
--- Guillaume Dupuis <[EMAIL PROTECTED]> wrote:
> We currently have 3 php servers. Can we use the same SessionID to
> connect across the 3 systems?

Yes, assuming I understand you correctly.

There are many ways to address this challenge, but one method is to use a
database for your session store. This database can be on one of your three
servers or somewhere else. A similar approach is to use an NFS mount to
create a virtual filesystem for storing session data. Yet another approach
is the msession PHP extension.

Hope that helps.

Chris
RE: [PHP] Shared SessionIDs?
--- Chris W. Parker <[EMAIL PROTECTED]> wrote:
> Store the username+password as an MD5 hash in a cookie, also store the
> user id. Then on the other servers you can read the user id and use that
> to pull out the username and password hash (you do hash your passwords
> within the database right?) from a database and then hash those two and
> compare the result with the cookie's info.

I don't like this type of approach, because it is basically a way to use
cookies as an authentication mechanism, which is not their intended use.
Cookies are good for the identification of the client (the purpose of their
creation, state management), and sites like Google also use them to allow
preference-selection for anonymous users, which seems like another good
use. When a cookie is used for authentication, the risk of impersonation is
greatly increased. Browsers such as IE allow anyone to read a cookie from
any domain (not intentionally, of course), so you should assume cookies to
be public information. Obscuring the data within is a good step, but as
common parlance warns, it does not eliminate the security risk.

Hope that helps.

Chris
Re: [PHP] Shared SessionIDs?
Chris W. Parker wrote:
> Guillaume Dupuis <mailto:[EMAIL PROTECTED]>
> > We currently have 3 php servers. Can we use the same SessionID to
> > connect across the 3 systems? If not, what would you suggest to
> > minimize the number of login prompts, while keeping secure?
>
> Here's an idea (whether or not it's a good idea is another story):
>
> Store the username+password as an MD5 hash in a cookie, also store the
> user id. Then on the other servers you can read the user id and use that
> to pull out the username and password hash (you do hash your passwords
> within the database right?) from a database and then hash those two and
> compare the result with the cookie's info.

I think you missed the part where he said "while keeping secure"... :)
Storing something like this in a cookie is in no way secure.

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals
www.phparch.com